grouper-users - Re: [grouper-users] RE: vt-ldap with multiple domain controllers

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] RE: vt-ldap with multiple domain controllers

  • From: Peter Schober <>
  • To:
  • Subject: Re: [grouper-users] RE: vt-ldap with multiple domain controllers
  • Date: Tue, 11 Dec 2012 23:54:41 +0100
  • Organization: ACOnet

* Gagné Sébastien [2012-12-11 21:19]:
> I understand that DNS load distribution isn't a bullet proof way to
> be highly available, but if there's a new DNS lookup chances are
> (80% in that case) it'll return the IP of an available
> controller. It seems though that the price to pay to have that is
> rather high (no caching).

There's the other aspect of the problem: Once a node is down, new
connections will also continue to be routed to it. How do you stop that
from happening? Putting all LDAP servers in a separate DNS zone and
having a really, really low TTL on that? But then some clients (not your
properly configured JVM + vt-ldap + Grouper, but still) will cache and
continue to talk to the "known bad" node. Quite a mess.

> Has anyone had any experience using a physical load balancer in
> front of LDAP servers ? This could be another option, probably a
> better one, it'll always be the same IP/URL and it'll detect if the
> controller is down or not.

Yes. Expensive and worth it, esp. for an enterprise directory.
A real load balancer usually has its own checking configuration (or
DSL or embedded programming language) which e.g. could exercise an
API or what have you and simply remove failing nodes without any
changes to clients, DNS, etc., which you usually don't fully control.
Much easier to handle failure modes, more flexible (take nodes in and
out of service in seconds), can do more elaborate variants of load
distribution (least connection routing, etc.), and so on.
So if you can afford it, it's no question/comparison really.
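As an added illustration of the balancer approach described in this reply (this is example configuration written for this archive page, not something posted in the thread or shipped by Grouper or vt-ldap), here is an HAProxy front end for two LDAP servers. Clients only ever see one address, and the balancer actively probes each server and pulls a failing one out of rotation on its own, which is exactly the property DNS round-robin with cached records cannot give you. All names and addresses are constructed placeholders from the RFC 5737 documentation range.

```haproxy
# Added example: one virtual IP in front of two LDAP servers, with active
# health checks so a dead node is removed by the balancer rather than by
# clients or DNS. Addresses and server names are constructed placeholders.
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Clients (vt-ldap, Grouper, anything else) point here and need no
# failover logic or DNS tricks of their own.
frontend ldap_in
    bind 192.0.2.1:389
    default_backend ldap_pool

backend ldap_pool
    balance leastconn          # "least connection routing" from the reply above
    option  ldap-check         # LDAPv3 anonymous bind probe, not merely a TCP connect
    # probe every 2s; mark a server down after 2 failed probes,
    # bring it back only after 3 consecutive successes
    default-server inter 2s fall 2 rise 3
    server dc1 192.0.2.10:389 check
    server dc2 192.0.2.11:389 check
```

Two points worth noting when adapting this. `option ldap-check` matters because a bare TCP check would happily keep routing to a host whose port still accepts connections while the directory behind it is hung; the bind probe catches that case. It speaks cleartext LDAP, so if you pass LDAPS (636) straight through you need a different probe. And the balancer itself is now the single address everything depends on, so in practice it is deployed as a redundant pair sharing that virtual IP.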
